Reverse engineering VxWorks (which replaces Linux on newer routers)

The Linksys router seen above is a WRT54G version 1. It famously runs Linux and was the source of much hacking back in the heyday, leading to popular alternative firmware packages such as DD-WRT and Tomato. But the company moved away from a Linux-based firmware starting with version 8 of the hardware. Those units run a proprietary real-time operating system called VxWorks instead.

[Craig] recently put together a reverse engineering guide for WRT54Gv8 and newer routers. His approach is purely firmware based, since he doesn't actually own a router that runs VxWorks. A bit of poking around in the hex dump lets him identify the different parts of the image, leading to an ELF header that really starts to unlock the secrets within: its fields give the architecture, endianness, entry point and segment load addresses a disassembler needs before any of the code makes sense. From there he carries out a rather lengthy process of accurately disassembling the code into something readable. The tool of choice for this is the IDA Pro disassembler and debugger. We weren't previously familiar with it, but having seen what it can do we're quite impressed.
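The first step described above, locating an ELF header inside a firmware blob and reading off the facts a disassembler needs, can be scripted rather than done by eye in a hex dump. The following is an added example written for this post; it is not [Craig]'s code and does not come from the guide. It constructs a small synthetic image (a made-up vendor header followed by a big-endian ELF32 MIPS executable with one loadable segment) so it runs offline; the segment addresses, entry point and padding are invented for the demonstration and are not taken from any real WRT54G firmware.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification; enough for typical router SoCs.
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM"}
PT_LOAD = 1


def find_elf_headers(blob):
    """Offsets of every ELF magic in the image (a vendor header may precede it)."""
    offsets, start = [], 0
    while (i := blob.find(ELF_MAGIC, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def parse_elf32(blob, off):
    """Parse the ELF32 header at `off` plus its program headers.

    Returns what a disassembler has to be told up front: endianness, machine,
    entry point and every PT_LOAD segment (file offset relative to the ELF
    start, load address, size on disk and in memory, flags).
    """
    ident = blob[off:off + 16]
    if ident[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic at 0x%x" % off)
    if ident[4] != 1:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF32 is handled here")
    big_endian = ident[5] == 2  # EI_DATA: 1 = little, 2 = big
    e = ">" if big_endian else "<"
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(
        e + "HHIIIIIHHHHHH", blob, off + 16)
    segments = []
    for n in range(e_phnum):
        p = off + e_phoff + n * e_phentsize
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags,
         _align) = struct.unpack_from(e + "8I", blob, p)
        if p_type == PT_LOAD:
            segments.append({"offset": p_offset, "vaddr": p_vaddr,
                             "filesz": p_filesz, "memsz": p_memsz,
                             "flags": p_flags})
    return {"elf_offset": off, "big_endian": big_endian, "type": e_type,
            "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
            "entry": e_entry, "segments": segments}


def file_offset_to_vaddr(info, file_off):
    """Map an absolute image offset to its load address, or None when the
    offset lies outside every PT_LOAD segment (e.g. inside the vendor header)."""
    rel = file_off - info["elf_offset"]
    for s in info["segments"]:
        if s["offset"] <= rel < s["offset"] + s["filesz"]:
            return s["vaddr"] + (rel - s["offset"])
    return None


def build_sample_image():
    """Constructed test input (not a real firmware): 0x40 bytes of fake vendor
    header, then a big-endian ELF32 MIPS executable whose single PT_LOAD
    segment starts 0x100 bytes into the ELF and loads at 0x80001000."""
    entry = 0x80001000
    ehdr = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8  # ELF32, big-endian
    ehdr += struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, entry, 52, 0, 0, 52,
                        32, 1, 40, 0, 0)
    phdr = struct.pack(">8I", PT_LOAD, 0x100, entry, entry, 0x200, 0x300,
                       5, 0x10)
    body = ehdr + phdr
    body += b"\x00" * (0x100 - len(body))   # pad up to the code segment
    body += bytes(range(256)) * 2           # 0x200 bytes standing in for code
    return b"VEND" + b"\xff" * 0x3c + body


if __name__ == "__main__":
    img = build_sample_image()
    for off in find_elf_headers(img):
        info = parse_elf32(img, off)
        print("ELF at 0x%x: %s, %s-endian, entry 0x%08x" % (
            off, info["machine"], "big" if info["big_endian"] else "little",
            info["entry"]))
        for s in info["segments"]:
            print("  PT_LOAD file+0x%x -> 0x%08x (%#x bytes)" % (
                s["offset"], s["vaddr"], s["filesz"]))
```

The load address from the PT_LOAD entry is what you feed a disassembler as the segment base; without it, absolute references in the code (jump targets, string pointers) resolve to nothing. Run against a real image, the same scan also catches the common failure mode where the magic appears more than once, for instance a bootloader ELF in front of the kernel.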

[Image via Wikimedia Commons]

Comments

  1. Roel says:

    IDA has been the de facto standard for reverse engineering for decades. Shame on you ;)

  2. Boris says:

    Someone familiar with reverse engineering of virtually any code, yet unfamiliar with IDA ? That’s strange ;)

  3. blub says:

    Please just buy the GL version; it has Linux on it and shows the manufacturer that we care about what they put on the routers.

  4. danman1453 says:

    Agreed. Then again, how much software reverse engineering do we do here? Not much when it comes to coding a ‘duino.

  5. fartface says:

    @blub Great idea if your laptop and gear are from the stone age. I use N wireless for high speeds and 1000BT for my network. The 10-year-old GL version is so out of date it can't do any of that.

    The GL version is great for the poor and the luddites, but for any real speeds at home or the office you need newer hardware, and nothing is available.

  6. _txf_ says:

    @blub

    There are much better routers that accept linux firmware. I have a netgear wndr3700, expensive but extremely powerful.

  7. tooth says:

    I got one and flashed it just to make my TV stand and anything that hooks up via Ethernet wireless.

  8. chango says:

    I wish there was a “day pass” license for IDA Pro. I would pay $30 for this privilege, but I can’t really justify $500+ for a tool I might use once or twice a year for personal projects.

  9. Dax says:

    Color me ignorant, but Linux in its own right isn’t hard real time, so a router would have to have a RT-kernel underneath to do the timing sensitive bits anyways, or throw enough hardware at it that the Linux kernel would be able to always keep up.

    So, isn’t it actually counter-productive to run Linux on top because it just takes more processing power for what 99.99% of the users don’t really care for anyways?

  10. cgimark says:

    If you can’t afford IDA there are alternatives. Embedded gear is usually either ARM or MIPS and REC Studio can do that for free. Version 4 beta is out and does quite well, even decompiles.

    http://www.backerstreet.com/rec/rec.htm

  11. lwatcdr says:

    Is there any good FOSS wifi router software that runs on x86 Linux?
    A good number of people have personal NAS or even a firewall like smoothwall. Seems to me that instead of using a router like this you could just add a wifi card to your server or firewall and have one less device to worry about. You might even save a little power if you are running the server or firewall anyway.

  12. xorpunk says:

    never use a decompiler to document code..especially the ones in IDA..

    it’s more productive to trace and comment code, xrefs also help.

    x86 bios reversing is done the same deflate->?decrypt->trace&document. ARM is actually easier than x86 when it comes to bios/real-mode.

  13. Charlie says:

    Remember the Hacker Ethic. It doesn’t always need to be better to be a proof of concept. It’s just a different way of doing things. Sometimes it works better, sometimes not. The important thing is.. There IS a different way to do things.

    Take the Narrow road. It may not be as fast, but the views are better and at the end is a much nicer place.

  14. James says:

    dd-wrt has a package that runs on x86 linux and works fantastic

    http://www.dd-wrt.com/wiki/index.php/X86

  15. isama says:

    lwatcdr: there is Astaro, which is good but needs 1GB of RAM to run smoothly; it has stuff like BGP and trunking built in so it is likely to be overpowered. On the other hand a Debian box with Shorewall runs smoothly with 256M or less. It is harder but more fun! :D

  16. chango says:

    cgimark: Thanks. I just grabbed REC, and while it does MIPS (handy for this project) it doesn’t do ARM. Promising though, next time I have to do work with x86.

  17. ngnlabs says:

    Nice – good to see IDA Pro getting coverage. the dogs bollocks as far as debug and reverse engineering ASM goes.

  18. dklight says:

    OpenWRT is much better than DD-WRT, especially on x86. It has tons of packages (very similar to Debian), and a nice web interface.

  19. MpegMaster says:

    Tomato is the BEST of the BEST!!!

    http://www.linksysinfo.org/forums/forumdisplay.php?f=160

    Cheers!!!

  20. Gösta says:

    Awesome!

  21. Jfiliault says:

    Hey I have 8 years of VxWorks experience if anyone needs any help with this. I work for a really BIG company that uses VxWorks all the time. Let me know if I can be of any use! -Justin

  22. Rogan Dawes says:

    @fartface Check the list of supported hardware on the OpenWRT site. e.g. Buffalo WZR GN300HP has 4+1GbE ports, N, USB, 32MB flash, 64MB RAM, etc.

    NetGear also has a nice router with OpenWRT support.

  23. Trollicus Rex says:

    I have a v1 running DD-WRT.

    With some good aftermarket antennas and a hacked heatsink/fan I have the power cranked to 80%.

    Now if I could only figure out a way to boost the power from my network card (my soup can helps but doesn’t increase my transmitting power).

    Being at the “End of the line” for DSL in my area the only way some of my neighbors can get online is through my connection which I leave open for their use.

    Anyone know of a good hackable wireless card, or at least one with a good power output?

  24. Paul says:

    You know that VxWorks is the O/S that runs the Mitel SX200, SX2000 and 3300 PABXs?

    A handy command from the rudimentary shell is lkup, e.g.

    lkup “fred”

    will look up any command or symbol whose name contains ‘fred’
